WordPress 2.9.2 Security Update Details

WordPress 2.9.2 Security Update

On February 15, 2010 WordPress.org announced the WordPress 2.9.2 release. The WordPress development blog says it fixes a “…problem where logged in users can peek at trashed posts belonging to other authors. If you have untrusted users signed up on your blog and sensitive posts in the trash, you should upgrade to 2.9.2”. The upgrade procedure is as simple as usual: you can use the upgrade link at the top of the admin dashboard page to upgrade WordPress automatically, or replace all WordPress files manually. There are no changes in the database structure compared with version 2.9.1, just a few changes in the PHP source code. Check the details below.
These 10 files changed in WordPress 2.9.2 compared to 2.9.1:

readme.html

wp-comments-post.php

wp-includes/version.php

wp-includes/query.php

wp-includes/http.php

wp-includes/functions.php

wp-admin/menu.php

wp-admin/edit-category-form.php

wp-admin/includes/update-core.php

wp-admin/includes/plugin.php

So, to do a manual update without accidentally overwriting WordPress files you changed earlier, you can replace just the 10 files listed above.
Let’s look inside the updated files and see what changes the WordPress team made to enhance our beloved blog platform.

readme.html

Just the version number was changed from 2.9.1 to 2.9.2 at lines 23 and 26.

If you are interested in more details on this fix, you can find the primary discussion of the issue at the WordPress bug tracker.

functions.php

Function _search_terms_tidy() was updated. Version 2.9.1 was

function _search_terms_tidy($t) {
return trim($t, "\"\'\n\r ");
}
?>

Version 2.9.2 became

function _search_terms_tidy($t) {
return trim($t, "\"'\n\r ");
}
?>

The backslash before the single quote inside the string was removed. In a PHP double-quoted string \' is not an escape sequence, so in 2.9.1 the backslash itself was part of the character list that trim() strips from search terms; 2.9.2 strips only quotes, newlines, carriage returns and spaces. The ticket for this issue at the WordPress bug tracker can be found here.

menu.php

The code starting at line 198 was updated to fix an admin menu access issue. Version 2.9.1 had

// Remove menus that have no accessible submenus and require privs that the user does not have.
// Run re-parent loop again.
foreach ( $menu as $id => $data ) {
	// If submenu is empty...
	if ( empty($submenu[$data[2]]) ) {
		// And user doesn't have privs, remove menu.
		if ( ! current_user_can($data[1]) ) {
			$_wp_menu_nopriv[$data[2]] = true;
			unset($menu[$id]);
		}
	}
}

Version 2.9.2 became

// Remove menus that have no accessible submenus and require privs that the user does not have.
// Run re-parent loop again.
foreach ( $menu as $id => $data ) {
	if ( ! current_user_can($data[1]) )
		$_wp_menu_nopriv[$data[2]] = true;
	// If submenu is empty...
	if ( empty($submenu[$data[2]]) ) {
		// And user doesn't have privs, remove menu.
		if ( isset($_wp_menu_nopriv[$data[2]]) ) {
			unset($menu[$id]);
		}
	}
}

The capability check now runs for every top-level menu entry, so $_wp_menu_nopriv records a menu the user lacks privileges for even when that menu still has submenu items; in 2.9.1 the flag was only set for menus whose submenu was empty.
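To see what the reordering changes, here is an added stand-alone PHP model of both loops (example code, not WordPress's own menu.php): $menu, $submenu and the capability list are constructed sample data, and a plain in_array() lookup stands in for current_user_can().

```php
<?php
// Added example, not WordPress code. Each $menu entry follows the layout the
// real loop relies on: index 1 is the required capability, index 2 the slug.

// The 2.9.1 loop: the capability is only checked when the submenu is empty.
function nopriv_291(array $menu, array $submenu, array $caps): array {
    $nopriv = [];
    foreach ($menu as $id => $data) {
        if (empty($submenu[$data[2]])) {
            if (!in_array($data[1], $caps, true)) {
                $nopriv[$data[2]] = true;
                unset($menu[$id]);
            }
        }
    }
    return ['nopriv' => $nopriv, 'menu' => $menu];
}

// The 2.9.2 loop: the capability is checked for every entry first, and the
// empty-submenu branch only decides whether the entry is removed.
function nopriv_292(array $menu, array $submenu, array $caps): array {
    $nopriv = [];
    foreach ($menu as $id => $data) {
        if (!in_array($data[1], $caps, true)) {
            $nopriv[$data[2]] = true;
        }
        if (empty($submenu[$data[2]])) {
            if (isset($nopriv[$data[2]])) {
                unset($menu[$id]);
            }
        }
    }
    return ['nopriv' => $nopriv, 'menu' => $menu];
}

// Constructed sample data (hypothetical, not the real admin menu).
$menu = [
    10 => ['Posts',   'edit_posts',       'edit.php'],
    20 => ['Plugins', 'activate_plugins', 'plugins.php'],
    30 => ['Tools',   'edit_posts',       'tools.php'],
];
$submenu = ['plugins.php' => [['Installed', 'activate_plugins', 'plugins.php']]];
$caps = ['edit_posts']; // a user who lacks activate_plugins

$old = nopriv_291($menu, $submenu, $caps);
$new = nopriv_292($menu, $submenu, $caps);
printf("2.9.1 flags plugins.php: %s\n", isset($old['nopriv']['plugins.php']) ? 'yes' : 'no');
printf("2.9.2 flags plugins.php: %s\n", isset($new['nopriv']['plugins.php']) ? 'yes' : 'no');
```

With this input the 2.9.1 loop never records plugins.php in the no-privilege list because its submenu is not empty, whereas the 2.9.2 loop records it; the list itself is what the rest of wp-admin consults when deciding whether a user may open a page, so the visible diff is the part of the fix this post covers.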

This entry was posted on Wednesday, February 17th, 2010 at 12:59 and is filed under Security, WordPress.